Palo Alto Firewall Monitoring
Last updated on 17 March, 2023Setting Your API Key as a Device Property
Palo Alto firewalls expose a small amount of data by SNMP, but in order to get comprehensive monitoring it is necessary to also use the Palo Alto API. Therefore, you should ensure that SNMP is enabled and configured correctly on your device as well as set your Palo Alto API key as a device property in LogicMonitor.
To get your API key and set it as a device property:
- This process can be initiated from the command line or browser:
- From the command line, as detailed in the Palo Alto XML API manual, make a GET or POST request to the firewall’s hostname or IP addresses using the administrative credentials and type=keygen:
curl -k -X GET 'https://<firewall>/api/?type=keygen&user=<username>&password=<password>'OR
curl -k -X POST 'https://<firewall>/api/?type=keygen&user=<username>&password=<password>' - From a browser, generate the key by entering the below URL into your address bar:
https://<firewall>/api/?type=keygen&user=<username>&password=<password>
Note: Replace firewall, username, and password in the above URL with the appropriate values. Any special characters in the password must be URL encoded (your browser will most likely do this for you.)
- From the command line, as detailed in the Palo Alto XML API manual, make a GET or POST request to the firewall’s hostname or IP addresses using the administrative credentials and type=keygen:
- The result will be an XML block that contains the key. The key should be formatted similar to the following: gJlQWE56987nBxIqyfa62s23RtYuIo2BgzEA9UOnlZBhU.
- Copy the key value and use it as the value for a device property named paloalto.apikey.pass.
Note: Ensure this property is set on all Palo Alto devices, including the Panorama management server. It is easiest to set this property at the root level of your LogicMonitor account; this allows the DataSources to connect via the API. For more information on setting properties, see Resource and Instance Properties.
Troubleshooting: Discard Session
In some cases, Palo Alto Firewalls allow SNMP requests from a Collector to a device, but block the response from the device back to the Collector. This is evidenced by a discard session on the firewall for the response packet (that is, discard UDP from device:snmp port -> collector:highport). This discard session would then block ALL subsequent SNMP responses from the device back to the Collector that are using the same port on the Collector, until a Collector restart or other event allows the discard session to expire (after no traffic for 30-60 seconds). This could potentially result in SNMP data collection issues where traffic from a Collector to its monitored devices flows across a Palo Alto Firewall.
Possible workarounds:
- Increase the Palo Alto UDP session timeout from 10 seconds to 30 seconds
- Open bidirectional firewall policies such as:
- allow collector:highports -> device:snmp
- allow device:snmp -> collector:highports